Add templates to handle detection of most Firefox Policy STIG items. (WIP)
Description:
Implement detection OVAL and remediation scripts to cover several manual STIGs for Mozilla Firefox's administrative policy.
Rationale:
Firefox uses a more complex JSON structure than Chromium does (at least for currently implemented items), and I'd like to be able to extend automagical remediations to cover the manual DISA STIG (especially as the automatic upstream SCAP benchmark has gone poof).
Hi @lenox-joseph. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test` on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the `ok-to-test` label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hello @lenox-joseph! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:
There are currently no PEP 8 issues detected in this Pull Request. Cheers! :beers:
Comment last updated at 2022-06-08 22:19:02 UTC
Failure is because the test system is trying to find the rules in the wrong prodtype, no idea how to address this in the build system.
/ok-to-test
@Mab879 @ggbecker any availability to do a review?
Title | Rule | Result |
---|---|---|
Set Firefox Configuration File Location | xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file | error |
Disable Firefox Configuration File ROT-13 Encoding | xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure | error |
I didn't touch anything anywhere near these rules (both are self-contained), so I have no idea what could have broken on your test system.
Thank you for the review @Mab879
/retest
@Mab879 should be good to look at again. I didn't realize that someone had extended the diff system to allow testing of the firefox datastream now.
/retest
@Mab879 I'd also like to get this into remediation sets for work, although I understand if there's extra trepidation at adding these remediations (at this point I don't think it's feasible to add Ansible remediations without writing up a module to go with it).
This failure seems like something in master as I don't have any Kubernetes remediations in this PR, especially since there weren't any failures before I rebased.
/retest
/retest
/retest
/retest
/retest
The content looks good.
@matejak can you take a look at the remediation script?
/retest
@matejak those failed tests look like something in the baseline as I don't have any Kubernetes remediation implemented.
/retest
@matejak FYI, new commits are because there were some revisions from the upstream DISA changes.
/retest
(moved to the correct conversation)
The PR touches multiple aspects of the template and test capabilities of the project, so please be patient - it will take a few more iterations to get everything through.
Rebase because some of the test hacks I was using that are unique to my dev environment were accidentally leaked into the branch.
Code Climate has analyzed commit b66c5b6c and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 26.1% (0.0% change).
View more on Code Climate.
@lenox-joseph: The following tests failed, say `/retest` to rerun all failed tests or `/retest-required` to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
ci/prow/e2e-aws-rhcos4-e8 | b66c5b6c4cb8bd2a93c85745da86b8a008b24541 | link | true | /test e2e-aws-rhcos4-e8 |
ci/prow/e2e-aws-rhcos4-moderate | b66c5b6c4cb8bd2a93c85745da86b8a008b24541 | link | true | /test e2e-aws-rhcos4-moderate |
ci/prow/e2e-aws-rhcos4-high | b66c5b6c4cb8bd2a93c85745da86b8a008b24541 | link | true | /test e2e-aws-rhcos4-high |
ci/prow/e2e-aws-ocp4-stig-node | b66c5b6c4cb8bd2a93c85745da86b8a008b24541 | link | true | /test e2e-aws-ocp4-stig-node |
Full PR test history. Your PR dashboard.
@lenox-joseph: PR needs rebase.